SecurityFocus: Windows More Secure Than Linux

Seen this on WinInformat.com:

“For at least the first 8 months of 2001, open-source poster child Linux was far less secure than Windows, according to the reputable NTBugTraq, which is hosted by SecurityFocus, the leading provider of security information about the Internet.”

“(The company’s 2001 statistics are available only through August 2001 for the time being.) According to NTBugTraq, Windows 2000 Server had less than half as many security vulnerabilities as Linux during the reported period. When you break the numbers down by Linux distribution, Win2K had fewer vulnerabilities than RedHat Linux 7.0 or MandrakeSoft Mandrake Linux 7.2, and it tied with UNIX-leader Sun Microsystems Solaris 8.0 and 7.0. A look at the previous 5 years–for which the data is more complete–also shows that each year, Win2K and Windows NT had far fewer security vulnerabilities than Linux, despite the fact that Windows is deployed on a far wider basis than any version of Linux. So once again, folks, you have to ask yourselves: Is Windows really less secure than Linux? Or is this one of those incredible perception issues?”

We would like to suggest caution when reading the vulnerabilities table. When an operating system has a very small number of reported vulnerabilities, it may be because it is not a widespread OS, not because it is more secure, e.g. BeOS or AIX. The more popular and widely used an OS is, the more vulnerabilities are uncovered. Linux holds around 25% of the server market and around 1% of the desktop market, both numbers significantly smaller than those of the Windows line of OSes, which makes the statistics discussed here today even more gloomy for Linux’s security.

30 Comments

2002-02-03 9:13 pm

i find this really amazing. if so many supposedly great developers are working on linux, can’t they see that it is missing any sign of elegance or the presence of a single modern feature. for god’s sake, a single person can come up with something so much more neat!!!!

people should just stop bashing MS, the people working there are very intelligent and it shows in the products. period!

fuck linux GUIs, look at LiteStep!! it shows that LiteStep programmers are much smarter and ages ahead of linux morans. the good thing about Linux is that it provides a giant toilet for all stupid programmers to shit in!

so all linux developers: please stick to linux!!! your shit is highly welcomed there.

thank you.

2002-02-03 9:17 pm

And you, please write your opinions in a more elegant and lite(step) way, or you will be banned for being too aggressive. Over here, ain’t no ./, I would appreciate it if our readers try to be a bit more open minded and kind to others.

Thank you.

2002-02-03 9:25 pm

sorry. i apologize! you are right

2002-02-03 9:33 pm

This is only the reported vulnerabilities. MS is now pushing to not have the vulnerabilities published right away, and who knows how many are never published, or are wrapped up into one fix! These numbers track the reported vulnerabilities, no matter how big or small. For all we know, the linux ones could just be each and every little security issue, while the MS ones are large or multiple vulnerabilities, wrapped up into one report.

What I’m trying to say is that anyone can make anything look bad with numbers, depending on how those numbers are obtained.

2002-02-03 9:49 pm

And learn to spell moron correctly you moran.

2002-02-03 9:50 pm

hmm Suse is a linux and has fewer vulnerabilities than Solaris or NT/2k, so what’s the point of that article?

that all the vulnerabilities that you can find on EVERY linux distro can’t be fewer than the vulnerabilities that you can find on a SINGLE product?

hmmm

don’t ask too much please

(NOTICE most vulnerabilities are in software that can be replaced with other software that doesn’t have them, and those aren’t kernel related)

2002-02-03 10:31 pm

Mac OS X Server hasn’t had one vulnerability in the last two years…! Well, I know that Mac OS isn’t that mainstream, at least not on the server side, but nonetheless…!

2002-02-03 10:39 pm

lu_zero is right. How could the folk from securityfocus say that linux has more vulnerabilities than Win2K/NT when they just sum up linux vulnerabilities of distros. That s*x. If we sum up all those vulnerabilities of Win series (finals of all 3.11, 95, 98, 98se, NT, 2000 and XP) ? Still less vulnerable?

2002-02-03 10:44 pm

The vulnerabilities index is useful strictly as a count of vulnerabilities! It says nothing about the relative severity of each. For example, Microsoft likes to tout the fact that Apache has vulnerabilities too, “just like” IIS. However, IIS has root-exploit holes on a fairly frequent basis. Apache’s “vulnerabilities” are mostly trivia that don’t affect real-world servers much. I’ll take a dozen such Apache “vulnerabilities” and let Microsoft keep their single IIS vulnerability that gives cräx0rz total control of the server …

2002-02-03 11:43 pm

First of all they are mainly sponsored by Microsoft. But that doesn’t mean they are downright lying.

Look at the scores, there’s just one Windows 2000, but multiple versions of the linux distros, both new and old.. In other words, they don’t count the holes in pre-SP1, SP2 Windows 2000, but they count the ones in Redhat 7.0 and 7.1.. Remember Red Hat sells up-to-date CDs unlike Microsoft, but it’s still free to patch linux, just like windows.

I always love when I spot the flaw.. But yes Mandrake does suck, no excuse there.

2002-02-03 11:57 pm

I was under the impression that under linux a person could just scroll through the source code and the security bugs would pop out at you and they could be instantly fixed.

2002-02-04 12:00 am

Just look at debian; It uses a linux kernel. The bugs are probably mostly not even in the kernel, but in the GNU part of GNU/Linux. And Debian GNU/Linux is much more secure than Microsoft Windows NT. This article is just flame bait.

Bill Gates recently said Microsoft is focusing more on security than on new features for now. That’s probably not because he’s satisfied with Windows security, although I doubt he cares much about it except for bad press.

–martijn

2002-02-04 12:00 am

One should also take into account a) the severity (as another poster already mentioned) and b) the turnaround on fixing those vulnerabilities, as well as HOW they were found and reported. All OSes have vulnerabilities, but in my experience the turnaround for getting a fix from any of the *ix camps seems to be a lot faster than with companies like MS.

No system is secure out of the box, however, and should never be considered as such.

2002-02-04 12:04 am

Actually, there was a major vulnerability with Mac OS X 10.1 where if you performed the right commands, you could access the system as root, even if the root user account wasn’t enabled in NetInfo Manager.

If you do an install of 10.1, it will be one of the first things Apple wants you to install when the Software Update window opens.

2002-02-04 12:10 am

I think this article is good evidence of Microsoft’s new-found move into better security.

As with most Microsoft moves, they tend to focus around the marketing department a couple of years before/if we ever see them in real life.

You can’t just compare security factors with a table like that. I think a far more in-depth analysis is required. There are so many more factors to look at than the raw number.

Maybe i am just anti-MS but i still would trust linux over windows, but at the end of the day it all comes down to the sysadmin anyway.

P.S. Don’t NT servers get defaced like 4 times more than Linux servers? i seem to recall seeing this figure from one of those sites that mirror defacements. I think that figure, though still not accurate, would be somewhat more of a real-world figure for security.

Our discussions about the ‘flaws’ of this approach (where statistics can make anything you want look good or bad) are below the threshold of Joe’s hearing. The message has escaped, ready to be relayed over and over.

2002-02-04 1:40 am

Unlike the Linux distributions jimbo’s OS had zero reported security vulnerabilities in 2001. It also had zero sales, zero users, zero applications and zero interest, because jimbo hasn’t written an OS, he just likes to rant and rave.

Joe User is not a problem. Joe User runs Gimp in Windows. Joe User will happily run Debian GNU/Linux if that’s what everyone else runs. Don’t worry about Microsoft’s advertising dollars, the simple truth is that Joe User and his millions of comrades will take Free Beer over any other beer. (We actually surveyed people in all seriousness, and zero cost was an overriding factor)

If you want to worry about Microsoft’s power, worry about their ability to influence big business and government. A certification here, a law passed there, some terminology changed in another place and the freedom we offered you will be snatched away. Use it or lose it.

2002-02-04 1:50 am

Tell me..how is it possible that linux is less secure than Windows NT/2000 when every distro except for Red Hat had fewer vulnerabilities in 2001? That makes about as much sense as adding up the total vulnerabilities in every operating system and saying “see Windows 2000 is more secure than every other OS”. That is just faulty logic.

2002-02-04 2:47 am

Reading the stats, I find it rather remarkable that the DOS-based Windows series has fewer known exploits than Red Hat or the NT-based Windows versions.

That OS X exploit is harmless on a server: The root-shell thing works only with physical access to the computer.

2002-02-04 3:52 am

> Don’t worry about Microsoft’s advertising dollars, the
> simple truth is that Joe User and his millions of comrades
> will take Free Beer over any other beer. (We actually
> surveyed people in all seriousness, and zero cost was an
> overriding factor)

Not true. From our survey, Joe User by far chooses to pay for a beer they know and can drink on the spot, rather than a free beer that takes 6 months of study for a non-geek to understand how to drink.

2002-02-04 5:05 am

i would imagine it’s far easier to find bugs by looking at the source. is it reasonable to assume that more people are combing through open source than there are people combing through win2000 code?

2002-02-04 7:03 am

As Benjamin Disraeli said once, “there are lies, damn lies and statistics”. In other words, you can use statistics to prove whatever you want, provided you twist them the right way. Just look at the gun debate in the USA. Both the NRA and their opposition use statistics to back their claims. Sometimes they even cite the same reports, twisting the statistics to suit themselves.

So how did these people come up with the idea that Windows is more secure than GNU/Linux? Firstly, they decide to compare entire distributions with Windows. What does Windows include? An OS, a single bloated UI and some simple tools, that’s all. What does your typical GNU/Linux distro contain? An OS, full development tools, full server tools, several UIs and toolkits (both CLI and graphical) and a great many applications. In other words, the average GNU/Linux distro contains more stuff than everything ever made by MS put together. Yet it is being compared only to Windows.

Secondly, we should take into consideration how these bugs were found, and how quickly they were quashed. Were these bugs found by developers, independent security experts (whitehats) or crackers (blackhats)? In the open source world, most vulnerabilities are found by the developers. Open source allows peer review, where anybody can look at the code and report vulnerabilities. If there is a problem, everyone will know about it quickly. Since everyone knows of the problem, a fix needs to be released quickly. Conversely, MS can keep vulnerabilities under wraps if they are found, and so have little pressure to release a fix. In fact, proprietary software companies try to minimise the amount of patches that they release, for it is annoying for a user to continuously install new fixes. It also makes the company look bad to the end-user, giving the impression that there are many problems with the software which they have bought. In the MS world, many vulnerabilities are found by independent security auditors. Many vulnerabilities are also found by crackers, who are willing to use them to compromise a system.

Thirdly, how bad are the exploits? The MS exploits are often more damaging in effect and easier to deploy than the ones for GNU/Linux.

Fourthly, the statistics neglect to show the many tens of thousands of worms, trojans and virii available for Windows. It has been estimated that businesses lose about US$15 billion a year due to these. There are only a handful of trojans and virii available for GNU/Linux, and the holes which they exploit have been fixed long ago. There are no GNU/Linux virii at all.

2002-02-04 7:56 am

Hello,

Am I missing something or is there a wrong shortcut when they say :

“NTBugTraq, which is hosted by SecurityFocus”

NTBugTraq is the mailing list moderated by Russ Cooper (probably hosted by RC or its employer TruSecure Corporation) while SecurityFocus is the well known “leading provider of security information” hosting the BugTraq mailing list.

Disclaimer:

If I’m wrong, sorry about that

I don’t state anything about the quality of NTBT, BT or SecurityFocus

I’m a subscriber to both lists, and I like them for what they are.

Cheers,

2002-02-04 8:35 am

Eugenia,

curious, how do you plan to ban people with the multitude of anonymous proxies available?

2) gnu/linux: GNU != LINUX. linux itself has only a few vulnerabilities (the last was the capabilities thing) 99% of the vulnerabilities are in the system code: i.e. GNU. this means that choice of packages can make a big difference (vixie cron vs. anacron)

3) windows boxen are not updated: UNIX admins usually keep their boxen up to date. since source is available, it’s no big deal, just download the latest & compile. windows users have to use the MS download centre which is slow and spies on you. so most don’t bother.

this is why ramen had nearly no impact, but nimda.32 is running rage on the college network…

Emphasise “seem” here. While “buffer overflows are easier to find and exploit successfully”, open source and peer review can enable these problems to be found and fixed faster by whitehats. In the closed source world, bugs can go unnoticed (or ignored by the vendor) for long periods of time (even years), because the code is unavailable to most whitehats. An exploit may have been in use for months or years before it is discovered by whitehats, then it can be even longer to have the problem resolved by the vendor.

> 2) gnu/linux: GNU != LINUX. linux itself has only a few vulnerabilities (the last was the capabilities thing) 99% of the vulnerabilities are in the system code: i.e. GNU. this means that choice of packages can make a big difference (vixie cron vs. anacron)

Very true. Since the GNU system is used on top of many other kernels (FreeBSD, NetBSD, OpenBSD, HURD, etc.), those OSs may have the same vulnerabilities as GNU/Linux.

> 3) windows boxen are not updated: UNIX admins usually keep their boxen up to date. since source is available, it’s no big deal, just download the latest & compile. windows users have to use the MS download centre which is slow and spies on you. so most don’t bother.

Another problem is that Windows (or an app) needs to be restarted for many changes to take effect. Uptime is important in the server world, and so sysadmins are reluctant to install the patches. GNU/Linux (and many Unices) only require a reboot if the core kernel is changed.

> this is why ramen had nearly no impact, but nimda.32 is running rage on the college network…

Also, Ramen exploited a (Red Hat specific) hole that had been addressed long before the outbreak. Only servers that hadn’t been updated were infected. Ramen was mostly benign, whereas Nimda (and Code Red/Green/Blue, etc.) was vicious. It is far more difficult to design a worm or trojan for GNU/Linux than it is for Windows. Even if one is written, it is unlikely to be anywhere near as dangerous as its Windows counterparts.

2002-02-04 6:18 pm

Linux security vs. Windows security: isn’t this basically a battle for last place?

2002-02-05 1:19 am

This report is flamebait. Plain and simple. Of course all security bugs vary in degree of severity. Even OpenBSD, which even the religious hardliners will admit is probably the most secure OS produced to date, produces dozens of security patches monthly. Just take a look at their website under the errata section. Based on the conclusion presented by NTBugTraq, one could conclude that OpenBSD is one of the least secure OSes out there. They would be foolish, but they could say such a thing, post it on their website, and invite flames from all over the galaxy.

Just let it go people. This is simply Uncle Bill trying to get a rise out of us.

2002-02-05 2:57 pm

NSA has, for years, examined and evaluated OSs based on a series of classes.

A-1 is the highest, has been achieved by only one OS and is not economically feasible to achieve by a commercial OS.

B-3 is the next highest and has been achieved by only one general purpose OS (STOP on the XTS-300)

B-2

B-1

C-3

C-2 where Windows NT resides but not when networked

etc

I don’t see OpenBSD on the list.

So I’m a bit unsure why you assert that OpenBSD is the consensus “most secure OS”.

2002-02-06 3:48 pm

Hint: C2 does not evaluate operating systems. NT is not evaluated for C2, W2K is not evaluated for C2, no version of Unix is evaluated for C2.

Instead a specific system (multiple pieces of hardware, installed software, documentation and the whole pile of procedures) is evaluated, and only conclusions about that system can be drawn from C2 certification. Any “My OS has B-2 and yours has C-2 so mine is better” judgements are on the face of it nonsense UNLESS you implemented the system described in the C2 certification.

OpenBSD is acclaimed as most secure by consensus of people who care about secure systems, not people who count trophies. OpenBSD is not perfect, because it’s made by people. But rather than paying lip service to security their time is spent implementing it. They review code, fix bugs (all security holes are bugs, but it is surprising how many bugs are also security holes!) and work to the principle of “secure by default”. The result is definitely a more robust and secure OS out of the box.

Still, as I’ve said in other threads, OSNews is plagued by parrots endlessly repeating their party line “Squark! NT is C2 Secure” “Squark! Unix is 1970s technology”, etc. Eventually this will probably just make everyone else leave like in the already barren OS forums.